The researchers found the potentially vulnerable systems using the Shodan search engine and searching for control-systems-related terms such as Scada (supervisory control and data acquisition). The researchers are worried that cyber-attackers could use the search engine in a similar way as a shortcut to finding vulnerable control systems and thus threaten or attack critical infrastructure.

In a recent alert, ICS-CERT says it is working with the researchers and industry partners to notify owners of the identified IP addresses. But it also recommends that control system owners and operators should audit their own systems to ensure that strong authentication and login systems are implemented, along with other defensive measures.

ICS-CERT also recommends that control system operators should use search engines such as Shodan or Eripp to audit their own networks and devices to locate Internet-connected control system devices that could be compromised. If they find potentially vulnerable devices, ICS-CERT suggests that they should remove these devices from direct or unsecured Internet access “as soon as possible”.

The Shodan and Eripp search engines can be used to identify and access control systems via the Internet. ICS-CERT warns that by combining these engines with easily available exploitation tools, potential attackers could access control systems much easier than previously.

Earlier this year, the organisation reported that several exploit tools had been released that could target PLCs from GE, Rockwell Automation, Schneider Electric and Koyo. One of the tools also targets the EtherNet/IP protocol used by many controls suppliers, and could be used to crash or restart affected devices.